<clickhouse>
    <!-- See also the files in users.d directory where the settings can be overridden. -->

    <!-- Profiles of settings. -->
    <profiles>
        <!-- Default settings. -->
        <default>
           <!-- 最大使用内存,设置总体内存的50%，单位字节-->
           <max_memory_usage>{{ max_memory_usage }}</max_memory_usage>
           <!-- 用户查询最大使用内存，即除系统内部执行的sql外 -->
           <max_memory_usage_for_user>{{ max_memory_usage_for_user }}</max_memory_usage_for_user>
           <!-- 整个ck服务最大使用内存,24GB-->
           <max_memory_usage_for_all_queries>25769803776</max_memory_usage_for_all_queries>
           <!-- 使用压缩缓存 -->
           <use_uncompressed_cache>0</use_uncompressed_cache>
           <!-- 最大线程数，可适当根据服务器性能调节 -->
           <max_threads>{{ ansible_processor_vcpus * 2 }}</max_threads>
           <max_bytes_before_external_sort>0</max_bytes_before_external_sort>
           <!-- 线程池大小，太小会影响查询性能 -->
           <background_pool_size>8</background_pool_size>
           <!-- join查询时发生异常会终止，尽量避免join查询！ -->
           <joined_subquery_requires_alias>0</joined_subquery_requires_alias>
           <!-- 遇到错误是否直接停止，生产环境强烈推荐配置，否则可能引发CPU打满等问题 -->
           <join_overflow_mode>break</join_overflow_mode>
           <!-- 最大group行数 -->
           <max_rows_to_group_by>10000000000</max_rows_to_group_by>
           <!-- 最大查询数 -->
           <max_query_size>5242880</max_query_size>
           <!-- 可提高group的查询速率 -->
           <group_by_overflow_mode>any</group_by_overflow_mode>
           <!-- 查询结果超过内存限制时抛出异常 -->
           <result_overflow_mode>throw</result_overflow_mode>
           <!-- 发生其他超过内存限制时终止操作 -->
           <distinct_overflow_mode>break</distinct_overflow_mode>
           <!-- 最大group字节数 -->
           <max_bytes_before_external_group_by>50000000000</max_bytes_before_external_group_by>
           <!-- 插入线程数 -->
           <max_insert_threads>{{ ansible_processor_vcpus }}</max_insert_threads>
           <load_balancing>random</load_balancing>
           <distributed_product_mode>global</distributed_product_mode>
        </default>

        <!-- Profile that allows only read queries. -->
        <readonly>
            <readonly>1</readonly>
        </readonly>
    </profiles>

    <!-- Users and ACL. -->
    <users>
        <!-- If user name was not specified, 'default' user is used. -->
        <default>
            <!-- See also the files in users.d directory where the password can be overridden.

                 Password could be specified in plaintext or in SHA256 (in hex format).

                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
                 Example: <password>qwerty</password>.
                 Password could be empty.

                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).

                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>

                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
                  place its name in 'server' element inside 'ldap' element.
                 Example: <ldap><server>my_ldap_server</server></ldap>

                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
                  place 'kerberos' element instead of 'password' (and similar) elements.
                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
                  whose initiator's realm matches it.
                 Example: <kerberos />
                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>

                 How to generate decent password:
                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
                 In first line will be password and in second - corresponding SHA256.

                 How to generate double SHA1:
                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
                 In first line will be password and in second - corresponding double SHA1.
            -->
            <password>{{ ck_default_password }}</password>

            <!-- List of networks with open access.

                 To open access from everywhere, specify:
                    <ip>::/0</ip>

                 To open access only from localhost, specify:
                    <ip>::1</ip>
                    <ip>127.0.0.1</ip>

                 Each element of list has one of the following forms:
                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
                 <host> Hostname. Example: server01.clickhouse.com.
                     To check access, DNS query is performed, and all received addresses compared to peer address.
                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
                     Strongly recommended that regexp is ends with $
                 All results of DNS requests are cached till server restart.
            -->
            <networks>
                <ip>::/0</ip>
            </networks>

            <!-- Settings profile for user. -->
            <profile>default</profile>

            <!-- Quota for user. -->
            <quota>default</quota>

            <!-- User can create other users and grant rights to them. -->
            <access_management>1</access_management>

            <!-- User can manipulate named collections. -->
            <named_collection_control>1</named_collection_control>

            <!-- User permissions can be granted here -->
            <!--
            <grants>
                <query>GRANT ALL ON *.*</query>
            </grants>
            -->
        </default>
    </users>

    <!-- Quotas. -->
    <quotas>
        <!-- Name of quota. -->
        <default>
            <!-- Limits for time interval. You could specify many intervals with different limits. -->
            <interval>
                <!-- Length of interval. -->
                <duration>3600</duration>

                <!-- No limits. Just calculate resource usage for time interval. -->
                <queries>0</queries>
                <errors>0</errors>
                <result_rows>0</result_rows>
                <read_rows>0</read_rows>
                <execution_time>0</execution_time>
            </interval>
        </default>
    </quotas>
</clickhouse>
